The branch master has been updated via 0be2cc5eb3faa2c79a705fee5977fa49841c1799 (commit) via 1576dfe090c9566737f026b7d66a9dd7657e499a (commit) via e75455173bd0024ce11a83686bc9dad614068455 (commit) via 9efa0ae0b602c1c0e356009a58410a2e8b80201a (commit) from ecbfaef2aad61fae0c29c04287913af11981b82e (commit)
- Log ----------------------------------------------------------------- commit 0be2cc5eb3faa2c79a705fee5977fa49841c1799 Author: Matt Caswell <m...@openssl.org> Date: Thu Mar 21 16:41:25 2019 +0000 Complain if there are missing symbols when creating a provider .so file Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8537) commit 1576dfe090c9566737f026b7d66a9dd7657e499a Author: Matt Caswell <m...@openssl.org> Date: Thu Mar 21 11:57:35 2019 +0000 Test that we can use the FIPS provider Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8537) commit e75455173bd0024ce11a83686bc9dad614068455 Author: Matt Caswell <m...@openssl.org> Date: Wed Mar 20 14:29:05 2019 +0000 Add a no-fips Configure option Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8537) commit 9efa0ae0b602c1c0e356009a58410a2e8b80201a Author: Matt Caswell <m...@openssl.org> Date: Wed Mar 20 14:27:52 2019 +0000 Create a FIPS provider and put SHA256 in it Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8537) ----------------------------------------------------------------------- Summary of changes: Configurations/shared-info.pl | 1 + Configure | 7 +- INSTALL | 3 + crypto/build.info | 5 ++ crypto/mem.c | 12 +-- crypto/params.c | 8 ++ crypto/sha/build.info | 2 + providers/build.info | 11 +++ providers/common/digests/build.info | 4 +- providers/fips/build.info | 2 + providers/{default/defltprov.c => fips/fipsprov.c} | 38 +++++----- test/build.info | 3 + test/evp_extra_test.c | 86 +++++++++++++++++----- test/recipes/30-test_evp_extra.t | 5 +- 14 files changed, 139 insertions(+), 48 deletions(-) create mode 100644 providers/fips/build.info copy providers/{default/defltprov.c => fips/fipsprov.c} (66%) diff --git a/Configurations/shared-info.pl b/Configurations/shared-info.pl index 3df12a3..f821ad7 100644 --- a/Configurations/shared-info.pl +++ b/Configurations/shared-info.pl @@ -32,6 +32,7 @@ my %shared_info; return { %{$shared_info{'gnu-shared'}}, shared_defflag => '-Wl,--version-script=', + dso_ldflags => '-z defs', }; }, 'bsd-gcc-shared' => sub { return $shared_info{'linux-shared'}; }, diff --git a/Configure b/Configure index 62f4af5..6702bc6 100755 --- a/Configure +++ b/Configure @@ -369,6 +369,7 @@ my @disablables = ( "err", "external-tests", "filenames", + "fips", "fuzz-libfuzzer", "fuzz-afl", "gost", @@ -512,6 +513,8 @@ my @disable_cascades = ( # or modules. "pic" => [ "shared", "module" ], + "module" => [ "fips" ], + "engine" => [ grep /eng$/, @disablables ], "hw" => [ "padlockeng" ], @@ -1221,8 +1224,8 @@ foreach my $what (sort keys %disabled) { $config{options} .= " no-$what"; - if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'module', - 'pic', 'dynamic-engine', 'makedepend', + if (!grep { $what eq $_ } ( 'buildtest-c++', 'fips', 'threads', 'shared', + 'module', 'pic', 'dynamic-engine', 'makedepend', 'zlib-dynamic', 'zlib', 'sse2' )) { (my $WHAT = uc $what) =~ s|-|_|g; my $skipdir = $what; diff --git a/INSTALL b/INSTALL index 5185033..c496e79 100644 --- a/INSTALL +++ b/INSTALL @@ -394,6 +394,9 @@ Don't compile in filename and line number information (e.g. for errors and memory allocation). + no-fips + Don't compile the FIPS module + enable-fuzz-libfuzzer, enable-fuzz-afl Build with support for fuzzing using either libfuzzer or AFL. These are developer options only. They may not work on all diff --git a/crypto/build.info b/crypto/build.info index a6f3524..77dcffb 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -21,6 +21,11 @@ SOURCE[../libcrypto]=\ trace.c provider.c params.c \ {- $target{cpuid_asm_src} -} {- $target{uplink_aux_src} -} +# FIPS module +SOURCE[../providers/fips]=\ + cryptlib.c mem.c mem_clr.c params.c + + DEPEND[cversion.o]=buildinf.h GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" DEPEND[buildinf.h]=../configdata.pm diff --git a/crypto/mem.c b/crypto/mem.c index 5feece3..562d6b5 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -14,7 +14,7 @@ #include <stdlib.h> #include <limits.h> #include <openssl/crypto.h> -#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE) && !defined(FIPS_MODE) # include <execinfo.h> #endif @@ -30,7 +30,7 @@ static void *(*realloc_impl)(void *, size_t, const char *, int) static void (*free_impl)(void *, const char *, int) = CRYPTO_free; -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) # include "internal/tsan_assist.h" static TSAN_QUALIFIER int malloc_count; @@ -94,7 +94,7 @@ void CRYPTO_get_mem_functions( *f = free_impl; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount) { if (mcount != NULL) @@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line) */ allow_customize = 0; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) if (call_malloc_debug) { CRYPTO_mem_debug_malloc(NULL, num, 0, file, line); ret = malloc(num); @@ -250,7 +250,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line) return NULL; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) if (call_malloc_debug) { void *ret; CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line); @@ -300,7 +300,7 @@ void CRYPTO_free(void *str, const char *file, int line) return; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) if (call_malloc_debug) { CRYPTO_mem_debug_free(str, 0, file, line); free(str); diff --git a/crypto/params.c b/crypto/params.c index 367b2ab..8eef736 100644 --- a/crypto/params.c +++ b/crypto/params.c @@ -348,6 +348,13 @@ OSSL_PARAM OSSL_PARAM_construct_size_t(const char *key, size_t *buf, return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf, sizeof(size_t), rsize); } +#ifndef FIPS_MODE +/* + * TODO(3.0): Make this available in FIPS mode. + * + * Temporarily we don't include these functions in FIPS mode to avoid pulling + * in the entire BN sub-library into the module at this point. + */ int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val) { BIGNUM *b; @@ -387,6 +394,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf, return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf, bsize, rsize); } +#endif int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val) { diff --git a/crypto/sha/build.info b/crypto/sha/build.info index 58d15bb..242a08e 100644 --- a/crypto/sha/build.info +++ b/crypto/sha/build.info @@ -3,6 +3,8 @@ SOURCE[../../libcrypto]=\ sha1dgst.c sha1_one.c sha256.c sha512.c {- $target{sha1_asm_src} -} \ {- $target{keccak1600_asm_src} -} +SOURCE[../../providers/fips]= sha256.c + GENERATE[sha1-586.s]=asm/sha1-586.pl \ $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR) DEPEND[sha1-586.s]=../perlasm/x86asm.pl diff --git a/providers/build.info b/providers/build.info index ec4162b..b2b5384 100644 --- a/providers/build.info +++ b/providers/build.info @@ -1 +1,12 @@ SUBDIRS=common default + +IF[{- !$disabled{fips} -}] + SUBDIRS=fips + MODULES=fips + IF[{- defined $target{shared_defflag} -}] + SOURCE[fips]=fips.ld + GENERATE[fips.ld]=../util/providers.num + ENDIF + INCLUDE[fips]=.. ../include ../crypto/include + DEFINE[fips]=FIPS_MODE +ENDIF diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info index a3c2369..b98df29 100644 --- a/providers/common/digests/build.info +++ b/providers/common/digests/build.info @@ -1,3 +1,5 @@ -LIBS=../../../libcrypto SOURCE[../../../libcrypto]=\ sha2.c + +SOURCE[../../fips]=\ + sha2.c diff --git a/providers/fips/build.info b/providers/fips/build.info new file mode 100644 index 0000000..9372062 --- /dev/null +++ b/providers/fips/build.info @@ -0,0 +1,2 @@ + +SOURCE[../fips]=fipsprov.c diff --git a/providers/default/defltprov.c b/providers/fips/fipsprov.c similarity index 66% copy from providers/default/defltprov.c copy to providers/fips/fipsprov.c index 9b52429..d3671b5 100644 --- a/providers/default/defltprov.c +++ b/providers/fips/fipsprov.c @@ -19,25 +19,25 @@ static OSSL_core_get_param_types_fn *c_get_param_types = NULL; static OSSL_core_get_params_fn *c_get_params = NULL; /* Parameters we provide to the core */ -static const OSSL_ITEM deflt_param_types[] = { +static const OSSL_ITEM fips_param_types[] = { { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME }, { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION }, { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO }, { 0, NULL } }; -static const OSSL_ITEM *deflt_get_param_types(const OSSL_PROVIDER *prov) +static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov) { - return deflt_param_types; + return fips_param_types; } -static int deflt_get_params(const OSSL_PROVIDER *prov, +static int fips_get_params(const OSSL_PROVIDER *prov, const OSSL_PARAM params[]) { const OSSL_PARAM *p; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL Default Provider")) + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) @@ -51,36 +51,34 @@ static int deflt_get_params(const OSSL_PROVIDER *prov, extern const OSSL_DISPATCH sha256_functions[]; -static const OSSL_ALGORITHM deflt_digests[] = { - { "SHA256", "default=yes", sha256_functions }, +static const OSSL_ALGORITHM fips_digests[] = { + { "SHA256", "fips=yes", sha256_functions }, { NULL, NULL, NULL } }; -static const OSSL_ALGORITHM *deflt_query(OSSL_PROVIDER *prov, +static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, int operation_id, int *no_cache) { *no_cache = 0; switch (operation_id) { case OSSL_OP_DIGEST: - return deflt_digests; + return fips_digests; } return NULL; } /* Functions we provide to the core */ -static const OSSL_DISPATCH deflt_dispatch_table[] = { - { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))deflt_get_param_types }, - { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))deflt_get_params }, - { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))deflt_query }, +static const OSSL_DISPATCH fips_dispatch_table[] = { + { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types }, + { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query }, { 0, NULL } }; -OSSL_provider_init_fn ossl_default_provider_init; - -int ossl_default_provider_init(const OSSL_PROVIDER *provider, - const OSSL_DISPATCH *in, - const OSSL_DISPATCH **out) +int OSSL_provider_init(const OSSL_PROVIDER *provider, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out) { for (; in->function_id != 0; in++) { switch (in->function_id) { @@ -90,12 +88,12 @@ int ossl_default_provider_init(const OSSL_PROVIDER *provider, case OSSL_FUNC_CORE_GET_PARAMS: c_get_params = OSSL_get_core_get_params(in); break; + /* Just ignore anything we don't understand */ default: - /* Just ignore anything we don't understand */ break; } } - *out = deflt_dispatch_table; + *out = fips_dispatch_table; return 1; } diff --git a/test/build.info b/test/build.info index 8bf286e..ded3bd7 100644 --- a/test/build.info +++ b/test/build.info @@ -186,6 +186,9 @@ IF[{- !$disabled{tests} -}] SOURCE[evp_extra_test]=evp_extra_test.c INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include DEPEND[evp_extra_test]=../libcrypto libtestutil.a + IF[{- $disabled{fips} || !$target{dso_scheme} -}] + DEFINE[evp_extra_test]=NO_FIPS_MODULE + ENDIF SOURCE[igetest]=igetest.c INCLUDE[igetest]=../include ../apps/include diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index d09eb31..724a144 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1098,12 +1098,14 @@ static int calculate_digest(const EVP_MD *md, const char *msg, size_t len, * Test 0: Test with the default OPENSSL_CTX * Test 1: Test with an explicit OPENSSL_CTX * Test 2: Explicit OPENSSL_CTX with explicit load of default provider + * Test 3: Explicit OPENSSL_CTX with explicit load of default and fips provider + * Test 4: Explicit OPENSSL_CTX with explicit load of fips provider */ static int test_EVP_MD_fetch(int tst) { OPENSSL_CTX *ctx = NULL; EVP_MD *md = NULL; - OSSL_PROVIDER *prov = NULL; + OSSL_PROVIDER *defltprov = NULL, *fipsprov = NULL; int ret = 0; const char testmsg[] = "Hello world"; const unsigned char exptd[] = { @@ -1117,9 +1119,14 @@ static int test_EVP_MD_fetch(int tst) if (!TEST_ptr(ctx)) goto err; - if (tst == 2) { - prov = OSSL_PROVIDER_load(ctx, "default"); - if (!TEST_ptr(prov)) + if (tst == 2 || tst == 3) { + defltprov = OSSL_PROVIDER_load(ctx, "default"); + if (!TEST_ptr(defltprov)) + goto err; + } + if (tst == 3 || tst == 4) { + fipsprov = OSSL_PROVIDER_load(ctx, "fips"); + if (!TEST_ptr(fipsprov)) goto err; } } @@ -1132,8 +1139,8 @@ static int test_EVP_MD_fetch(int tst) goto err; /* - * Test that without loading any providers or specifying any properties we - * can get a sha256 md from the default provider. + * Test that without specifying any properties we can get a sha256 md from a + * provider. */ if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", NULL)) || !TEST_ptr(md) @@ -1152,28 +1159,67 @@ static int test_EVP_MD_fetch(int tst) md = NULL; /* - * We've only loaded the default provider so explicitly asking for a - * non-default implementation should fail. + * In tests 0 - 2 we've only loaded the default provider so explicitly + * asking for a non-default implementation should fail. In tests 3 and 4 we + * have the FIPS provider loaded so we should succeed in that case. */ - if (!TEST_ptr_null(md = EVP_MD_fetch(ctx, "SHA256", "default=no"))) - goto err; + md = EVP_MD_fetch(ctx, "SHA256", "default=no"); + if (tst == 3 || tst == 4) { + if (!TEST_ptr(md) + || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), + exptd))) + goto err; + } else { + if (!TEST_ptr_null(md)) + goto err; + } - /* Explicitly asking for the default implementation should succeeed */ - if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", "default=yes")) - || !TEST_int_eq(EVP_MD_nid(md), NID_sha256) - || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), exptd)) - || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH) - || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK)) - goto err; + EVP_MD_meth_free(md); + md = NULL; + + /* + * Explicitly asking for the default implementation should succeeed except + * in test 4 where the default provider is not loaded. + */ + md = EVP_MD_fetch(ctx, "SHA256", "default=yes"); + if (tst != 4) { + if (!TEST_ptr(md) + || !TEST_int_eq(EVP_MD_nid(md), NID_sha256) + || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), + exptd)) + || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH) + || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK)) + goto err; + } else { + if (!TEST_ptr_null(md)) + goto err; + } EVP_MD_meth_free(md); md = NULL; + /* + * Explicitly asking for a fips implementation should succeed if we have + * the FIPS provider loaded and fail otherwise + */ + md = EVP_MD_fetch(ctx, "SHA256", "fips=yes"); + if (tst == 3 || tst == 4) { + if (!TEST_ptr(md) + || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), + exptd))) + goto err; + } else { + if (!TEST_ptr_null(md)) + goto err; + } + + ret = 1; err: EVP_MD_meth_free(md); - OSSL_PROVIDER_unload(prov); + OSSL_PROVIDER_unload(defltprov); + OSSL_PROVIDER_unload(fipsprov); OPENSSL_CTX_free(ctx); return ret; } @@ -1207,6 +1253,10 @@ int setup_tests(void) ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode, OSSL_NELEM(ec_der_pub_keys)); #endif +#ifdef NO_FIPS_MODULE ADD_ALL_TESTS(test_EVP_MD_fetch, 3); +#else + ADD_ALL_TESTS(test_EVP_MD_fetch, 5); +#endif return 1; } diff --git a/test/recipes/30-test_evp_extra.t b/test/recipes/30-test_evp_extra.t index 98ecf26..b6fd97a 100644 --- a/test/recipes/30-test_evp_extra.t +++ b/test/recipes/30-test_evp_extra.t @@ -10,9 +10,12 @@ use strict; use warnings; -use OpenSSL::Test; +use OpenSSL::Test qw/:DEFAULT bldtop_dir/; setup("test_evp_extra"); plan tests => 1; + +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); + ok(run(test(["evp_extra_test"])), "running evp_extra_test");